NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION’S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2011

Report # OIG-11-12
November 10, 2011

William A. DeSarno
Inspector General

Released by: James Hagen, Deputy Inspector General
Auditor-in-Charge: W. Marvin Stith, CISA, Sr. Information Technology Auditor

Table of Contents

I. EXECUTIVE SUMMARY
II. BACKGROUND
III. OBJECTIVE
IV. METHODOLOGY AND SCOPE
V. RESULTS IN DETAIL
   1. NCUA needs to improve its remote access controls.
   2. NCUA needs to improve its continuous monitoring program.
   3. NCUA needs to improve its security authorization packages.
   4. NCUA needs to improve its contingency planning program.
   5. NCUA needs to improve its intrusion detection policies and procedures.
   6. NCUA needs to improve its privacy program.

I. EXECUTIVE SUMMARY

The Office of Inspector General (OIG) for the National Credit Union Administration (NCUA) engaged Richard S. Carson and Associates, Inc. (Carson Associates), to independently evaluate NCUA’s information systems and security program and controls for compliance with the Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002.

Carson Associates evaluated NCUA’s security program through interviews, documentation reviews, technical configuration reviews, and sample testing. Carson Associates evaluated NCUA against such laws, standards, and requirements as those provided through FISMA, the E-Government Act, National Institute of Standards and Technology (NIST) standards and guidelines, the Privacy Act, and Office of Management and Budget (OMB) memoranda and security and privacy policies.

NCUA has worked to further strengthen its information security and privacy programs during Fiscal Year (FY) 2011. NCUA’s accomplishments during this period include:

• Improved its security configuration for servers and desktops;
• Improved its ability to establish a fully integrated continuous monitoring program by implementing automated software, which includes intrusion detection, vulnerability scanning, and logging tools;
• Developed and implemented policies and procedures for overseeing external service providers;
• Improved its contingency planning program for its FISMA systems;
• Established, implemented, and enforced security baselines for its servers and desktop devices;
• Improved its Plan of Action and Milestones process;
• Provided Business Impact Assessments (BIAs) for its FISMA systems and is currently extending the BIA study down to its regional/field offices;
• Improved its procedures for ensuring terminated users and inactive user accounts are disabled or removed from NCUA systems; and
• Implemented continuing education requirements for its information technology employees.

We identified two areas remaining from last year’s FISMA evaluation that NCUA officials need to address. NCUA needs to:

• Improve remote access controls; and
• Improve its privacy program (i.e., review its use of Personally Identifiable Information and Social Security Numbers).

In addition, we identified four new findings this year where NCUA could improve its information technology security controls. Specifically, NCUA needs to:

• Improve its continuous monitoring program;
• Improve its security authorization packages;
• Improve its contingency planning program; and
• Improve its intrusion detection policies and procedures.

We appreciate the courtesies and cooperation provided to our staff and Carson Associates staff during this audit.

II. BACKGROUND

This section provides background information on the Federal Information Security Management Act (FISMA) and the National Credit Union Administration (NCUA).

Federal Information Security Management Act (FISMA)

The President signed into law the E-Government Act (Public Law 107-347), which includes Title III, Information Security, on December 17, 2002. FISMA permanently reauthorized the framework laid out in the Government Information Security Reform Act of 2000 (GISRA), which expired in November 2002. FISMA continues the annual review and reporting requirements introduced in GISRA. In addition, it includes new provisions aimed at further strengthening the security of the Federal government’s information and information systems, such as development of minimum standards for agency systems. In general, FISMA:

• Lays out a framework for annual information technology security reviews, reporting, and remediation plans.
• Codifies existing OMB security policies, including those specified in Circular A-130, Management of Federal Information Resources, and Appendix III.
• Reiterates security responsibilities outlined in the Computer Security Act of 1987, Paperwork Reduction Act of 1995, and Clinger-Cohen Act of 1996.
• Tasks NIST with defining required security standards and controls for Federal information systems.

The Department of Homeland Security released the FY 2011 reporting metrics (June 1, 2011), which provide measures against which agency Chief Information Officers, Offices of Inspector General, and Senior Agency Officials for Privacy assess the status and compliance of agencies’ information security and privacy management programs. OMB issued the FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management on September 14, 2011. This document provides instructions to agencies for meeting their reporting requirements under FISMA. In addition, it includes instructions for reporting on agencies’ privacy management programs. Furthermore, it includes clarifications to help agencies implement and meet FISMA and privacy requirements.

National Credit Union Administration (NCUA)

NCUA is the independent Federal agency that charters, supervises, and insures the nation’s Federal credit unions. NCUA insures many state-chartered credit unions as well. NCUA is funded by the credit unions it supervises and insures. NCUA’s mission is to foster the safety and soundness of Federally-insured credit unions and to better enable the credit union community to extend credit for productive and provident purposes to all Americans, particularly those of modest means.

NCUA strives to ensure that credit unions are empowered to make necessary business decisions to serve the diverse needs of their members and potential members. It does this by establishing a regulatory environment that encourages innovation, flexibility, and a continued focus on attracting new members and improving service to existing members.

NCUA has a full-time three-member Board (NCUA Board) consisting of a chairman and two members. The chairman is appointed by the President of the United States and confirmed by the Senate. No more than two board members can be from the same political party, and each member serves a staggered six-year term. The NCUA Board regularly meets in open session each month, with the exception of August, in Alexandria, Virginia. In addition to its central office in Alexandria, NCUA has five regional offices and the Asset Management and Assistance Center (AMAC).

III. OBJECTIVE

The audit objective was to assist the OIG in performing an independent evaluation of NCUA information security and privacy management policies and procedures for compliance with FISMA and Federal regulations and standards. We evaluated NCUA’s efforts related to:

• Efficiently and effectively managing its information security and privacy management programs;
• Meeting responsibilities under FISMA;
• Remediating prior audit weaknesses pertaining to FISMA and other security and privacy weaknesses identified; and
• Implementing its Plan of Action and Milestones (POA&M).

In addition, the audit was required to provide sufficient supporting evidence of the status and effectiveness of NCUA’s information security and privacy management programs to enable the OIG to report to OMB.

IV. METHODOLOGY AND SCOPE

We evaluated NCUA’s information security and privacy management programs and practices against such laws, standards, and requirements as those provided through FISMA, the E-Government Act, NIST standards and guidelines, the Privacy Act, and OMB memoranda and security and privacy policies.

During this audit, we assessed NCUA information security and privacy management programs in the areas identified in the Department of Homeland Security’s FY 2011 Inspector General FISMA Reporting Metrics. These areas included: risk management, configuration management, incident response and reporting, security training, POA&M, remote access management, identity and access management, continuous monitoring management, contingency planning, contractor systems, and security capital planning.

We conducted our fieldwork from August 2011 through November 2011. We performed our audit in accordance with generally accepted government auditing standards. The standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

V. RESULTS IN DETAIL

Information security and privacy program planning and management controls are designed to provide the framework and continuing cycle of activity for managing risk, developing security and privacy policies, assigning responsibilities, and monitoring the adequacy of information security-related and privacy-related controls. NCUA has made progress in addressing last year’s reported deficiencies; however, some prior year deficiencies remain. In addition, we identified other areas for improvement that require management’s attention. We discuss these issues below.

1. NCUA needs to improve its remote access controls.

NCUA only requires one-factor authentication for remote access to its network.

This issue is a repeat finding from the FY 2010 FISMA evaluation.

OMB M-07-16 requires that agencies allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.

NCUA has issued PIV cards and uses the cards for physical access to its facilities. However, NCUA officials indicated NCUA has not required the use of the PIV cards for remote authentication to its network because most users forgot their PIN. The majority of NCUA users are not centrally located and work from the field. Therefore, NCUA officials indicated the agency will use its next central agency-wide meeting in April 2012 to issue users new PINs.

By implementing the OMB remote access security requirement, NCUA will help protect its systems and data from the risk of unauthorized exposure. Should a breach of information occur (e.g., Financial Sector Oversight information), NCUA’s reputation could be hurt and it could have a serious adverse effect on organizational operations, assets, or individuals.

Recommendation 1: We recommend that NCUA management require and implement multifactor authentication for remote access to its network.

Agency Response: We have delayed resolution of this finding due to logistical and financial concerns and have accepted this risk. We will implement two-factor authentication at the national conference. This plan has been communicated to OMB under the requirements of HSPD-12 and PIV implementation.

OIG Response: The OIG concurs.[1]

[1] NCUA’s conference is scheduled for April 2012.

2. NCUA needs to improve its continuous monitoring program.

While NCUA has some automated tools (e.g., intrusion detection, Security Content Automation Protocol), and policies and procedures that would be components of a continuous monitoring program, NCUA has not completely implemented its continuous monitoring strategy and program. Specifically, the agency does not have documented continuous monitoring policies and procedures and has not fully integrated the various components of its information security program into a strategy that facilitates near real-time monitoring and risk management.

NIST SP 800-37, Revision 1 guides that a robust continuous monitoring program requires the active involvement of information system owners and common control providers, chief information officers, senior information security officers, and authorizing officials. The monitoring program allows an organization to:

• Track the security state of an information system on a continuous basis; and
• Maintain the security authorization for the system over time in highly dynamic environments of operation with changing threats, vulnerabilities, technologies, and missions/business processes.

In addition, continuous monitoring of security controls using automated support tools facilitates near real-time risk management and represents a significant change in the way security authorization activities have been employed in the past. Near real-time risk management of information systems can be facilitated by employing automated support tools to execute various steps in the Risk Management Framework,[2] including authorization-related activities. In addition to vulnerability scanning tools, system and network monitoring tools, and other automated support tools that can help to determine the security state of an information system, organizations can employ automated security management and reporting tools to update key documents in the authorization package, including the security plan, security assessment report, and plan of action and milestones.

Furthermore, an effective organization-wide continuous monitoring program includes:

• Configuration management and control processes for organizational information systems;
• Security impact analyses on proposed or actual changes to organizational information systems and environments of operation;
• Assessment of selected security controls (including system-specific, hybrid, and common controls) based on the organization-defined continuous monitoring strategy;
• Security status reporting to appropriate organizational officials; and
• Active involvement by authorizing officials in the ongoing management of information system-related security risks.

By formally establishing a continuous monitoring strategy and program, NCUA can meet Federal requirements for continuous near real-time monitoring of its information security program, which would enhance its ability to maintain the confidentiality, integrity, and availability of NCUA systems and data.

Recommendation 2: We recommend that NCUA management document and implement its continuous monitoring strategies, policies, and procedures under the Risk Management Framework.

Agency Response: OCIO will develop over-arching policy that establishes the parameters of agency continuous monitoring. This policy will include a newly established security calendar with all security events to ensure continuous monitoring of all recurring events. OCIO will also update policy to articulate what items must be included in the calendar. Existing monitoring of the IDS will not be included in the calendar as that is a real-time system.

OIG Response: The OIG concurs.

[2] The Risk Management Framework is a six-step process, which essentially replaces the traditional Certification and Accreditation process. The intent of this common framework is to improve information security, strengthen risk management processes, and encourage reciprocity among federal agencies.

3. NCUA needs to improve its security authorization packages.

NCUA’s Asset Management and Assistance Center (AMAC) security plan does not address each of the minimum security controls applicable to the system’s security categorization. In addition, the AMAC security plan does not match the control families identified in SP 800-53. For example, the AMAC security plan does not address the security controls for Risk Assessment Policy and Procedures, Security Categorization, Risk Assessment, and Vulnerability Scanning as required by SP 800-53.

NIST SP 800-53, Revision 3 provides guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the Federal government to meet the requirements of FIPS 200. The guidelines apply to all components of an information system that process, store, or transmit Federal information. The guidelines have been developed to help achieve more secure information systems and effective risk management within the Federal government by:

• Facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems and organizations; and
• Providing a recommendation for minimum security controls for information systems categorized in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.

NCUA officials indicated the AMAC security plan is outdated because it was prepared under NIST SP 800-26 (April 2005). NIST superseded this guidance with NIST SP 800-53. The current guidance is NIST SP 800-53, Revision 3, dated August 2009.

By having security authorization packages that meet current government standards, NCUA can help eliminate or reduce potential system vulnerabilities. Ultimately, this could help protect the confidentiality, integrity, and availability of NCUA’s systems and data.

Recommendation 3: We recommend that NCUA management update the AMAC security plan to comply with current Federal standards and guidance.

Agency Response: OCIO will work with AMAC to update the AMAC security plan and include it as another appendix to the GSS security plan. This will consolidate all NCUA systems into one system and more closely align our operations with the new continuous monitoring model set forth by OMB.

OIG Response: The OIG concurs.

4. NCUA needs to improve its contingency planning program.

NCUA’s contingency plan for its AMAC system is three years old and outdated. In addition, NCUA has not tested the contingency plan within the past year.

OMB Circular A-130 requires agencies to establish and periodically test the capability to perform the agency function supported by the application in the event of failure of its automated support.

NIST SP 800-34, Revision 1 requires agencies to ensure contingency plan maintenance. The guidance indicates the plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.

NCUA officials informed us the agency has not updated and tested the AMAC contingency plan because the system is undergoing a modification in which major portions of the system will reside on the NCUA General Support System.

Updating and testing the AMAC system contingency plan will reduce the potential impact on AMAC in the event its system becomes nonoperational. NCUA can minimize its efforts to recover AMAC with an accurate, current, and tested contingency plan.

Recommendation 4: We recommend that NCUA management update and test the AMAC system contingency plan.

Agency Response: OCIO will work with AMAC to complete the existing effort to add part of the AMAC operation to the GSS contingency plan and have that data available at the DR site. OCIO will assist AMAC to update the existing contingency plan to address all other residual data and the AFTECH system.

OIG Response: The OIG concurs.

5. NCUA needs to improve its intrusion detection policies and procedures.

In response to the OIG’s FY 2010 independent evaluation of NCUA’s compliance with FISMA, NCUA indicated it was implementing in-house intrusion detection in place of using a third-party service provider. In addition, NCUA indicated it would implement procedures governing security parameters and response times to adequately secure its perimeter. While NCUA has since implemented in-house intrusion detection and developed intrusion detection policies and procedures, its policies and procedures do not include response times for addressing vulnerabilities. In addition, NCUA does not have a means to monitor the remediation of vulnerabilities through completion.

NIST SP 800-137 guides that, within the context of an information system continuous monitoring program, intrusion detection/prevention systems (IDPSs) can be used to supply evidence of the effectiveness of security controls (e.g., policies, procedures, and other implemented technical controls), document existing threats, and deter unauthorized use of information systems. IDPSs may also provide supporting data to assist organizations in meeting US-CERT incident reporting requirements and in responding to OMB and agency CIO reporting requirements in the areas of system and connections inventory, security incident management, boundary protections, and configuration management.

By documenting specific security considerations, response time requirements, and other guidelines in intrusion detection policies and procedures, NCUA management would institutionalize formal guidelines that would help maintain the confidentiality, availability, and integrity of NCUA data and systems.

Recommendation 5: We recommend that NCUA management:

• Update its Intrusion Detection policies and procedures to establish maximum allowable response times for addressing security incidents.
• Implement a tracking system to monitor the status of vulnerabilities.

Agency Response: OCIO has updated the GSS with timelines and will document specific procedures to track vulnerabilities to resolution.

OIG Response: The OIG concurs.

6. NCUA needs to improve its privacy program.

While NCUA staff indicated the agency has performed a limited inventory of Personally Identifiable Information (PII), NCUA has not performed a complete review of its holdings of PII and, if necessary, reduced its use of PII and Social Security Numbers (SSNs).

This is a repeat finding from the FY 2010 FISMA Review.

NIST SP 800-122 guides that:

• Organizations should identify all PII residing in their environment.
• Organizations should minimize the use, collection, and retention of PII to what is strictly necessary to accomplish their business purpose and mission. The likelihood of harm caused by a breach involving PII is greatly reduced if an organization minimizes the amount of PII it uses, collects, and stores.

OMB M-07-16 required that:

• Agencies review current holdings and reduce the volume of PII.
• Agencies reduce the use of Social Security Numbers and eliminate any unnecessary use, and explore alternatives for a personal identifier for both Federal employees and in Federal programs.
• Agency-specific implementation plans and progress updates regarding this review will be incorporated as requirements in agencies’ annual reports under FISMA. Following this initial review, agencies must develop and make public a schedule by which they will periodically update the review of their holdings. This schedule may be part of an agency’s annual review and any consolidated publication of minor changes of Privacy Act Systems of Records Notices (SORN).
• Within 120 days from the date of the memo (May 22, 2007), agencies must establish a plan in which the agency will eliminate the unnecessary collection and use of Social Security Numbers within eighteen months.

By performing a review to determine the amount of PII and use of SSNs at NCUA and, if necessary, reducing the amount of PII and use of SSNs, NCUA will reduce the risk of exposing its sensitive data to a breach of confidentiality by an authorized or unauthorized entity. Ultimately, this could prevent public embarrassment for the agency and a loss of trust by the public.

Recommendation 6: We recommend that NCUA management:

• Review current holdings of Personally Identifiable Information and, if necessary, develop a plan to reduce any unnecessary use of PII and provide progress updates.
• Review and, if necessary, create and execute a schedule to eliminate any unnecessary collection and use of Social Security Numbers, and, if applicable, explore alternatives for a personal identifier for Federal employees and in Federal programs.

Agency Response: The Office of General Counsel agrees with the recommendations. In September 2011, our Office was reorganized with a section devoted to Administrative Law. This section is now responsible for issues arising out of the Privacy Act, and the Associate General Counsel for Administrative Law is now the Senior Agency Official for Privacy. Privacy issues, including identification and elimination of unnecessary SSNs and other PII, will be given a higher priority. Working with the Office of Human Resources, the Office has begun privacy training for supervisory personnel. In the 2012 fiscal year, the Office will develop an inventory of PII and plans to work with the Office of Chief Information Officer in implementing software they have obtained to identify SSNs and to then reduce any unnecessary use of PII, including SSNs.

OIG Response: The OIG concurs.